[00:05.150 --> 00:10.760]  Hi everybody, it's Evil Mog from Team Hashcat and also X-Force Red. I'm here to talk to you
[00:10.760 --> 00:17.480]  all about a fantastic chain of vulnerabilities that leads to domain admin. I call this Printers
[00:17.480 --> 00:23.440]  to Domain Admin. So, first off, what we're going to be exploiting is this wonderful feature that
[00:23.440 --> 00:29.980]  tifkin_ from SpecterOps discovered, called the MS-RPRN Print Spooler Bug. Basically what it does
[00:29.980 --> 00:37.980]  is it's a feature to have a domain controller tell a client where its printers are. Now,
[00:38.680 --> 00:44.440]  any user can request this packet to be sent to them. And what it can also do is try and
[00:44.440 --> 00:50.400]  enforce authentication. Now, if the client says, hey, I only support NTLM version 1
[00:50.400 --> 00:54.440]  and the domain controller is trying to authenticate to them, it will authenticate using
[00:54.440 --> 01:00.980]  its machine account. That machine account can then be reversed from NTLM version 1 to NTLM.
[01:02.120 --> 01:09.640]  And once reversed to NTLM, we can create a silver ticket and then DC sync the server. So with that,
[01:09.640 --> 01:15.200]  let's begin. The first thing we're going to need to do is find out the domain SID of the machine
[01:15.200 --> 01:20.240]  we're going to attack. Now, we're going to specify that we start off with domain user credentials.
[01:20.980 --> 01:24.740]  And so we are already a regular domain user. We would have gotten this through
[01:24.740 --> 01:29.860]  Responder, some other method, or being a legit user on the network. So we'll run enum4linux
[01:32.440 --> 01:41.360]  on 192.168.1.3 on my mog.localdomain. Now we're going to see a whole bunch of stuff.
[01:41.360 --> 01:48.100]  So we have to scroll up and we're going to see the domain SID is right here.
[01:48.980 --> 01:51.700]  This is the security identifier for the domain,
[01:51.700 --> 01:57.720]  and it did not require any credentials to pull. So we're going to go export SID=.
[01:59.720 --> 02:04.600]  And quotes, even though these aren't required, I put them around just out of my own safety sake,
[02:04.600 --> 02:11.500]  because I've been burned once or twice. So we now have the SID. Fantastic. Next thing we're
[02:11.500 --> 02:16.980]  going to need is ready to go use our credentials on the net NTLM silver ticket repo with a tool
[02:16.980 --> 02:32.700]  called Dementor. So we're now in the repo, so we're going to go ./ or python dementor.py.
[02:36.430 --> 02:42.670]  So in order to use Dementor, we need a domain username, which is going to be evilmog.
[02:43.710 --> 02:49.470]  We need a password. In this case, password is password with an exclamation mark.
[02:49.970 --> 02:53.510]  Yes, this is a demo. Yes, it's junk. I'm okay with this.
[02:53.930 --> 02:56.630]  Now we're going to use a domain. Domain name will be mog.
[02:58.690 --> 03:02.210]  Next thing we're going to do is go into another window. We're going to set up Responder. So
[03:02.210 --> 03:11.850]  Responder, interface eth0. Yeah, let's go with that.
[03:14.070 --> 03:18.170]  And now we're going to fire over to Dementor and fire off the authentication back at us.
[03:18.170 --> 03:24.770]  Next thing we need is the listener IP. So the IP range on this, sorry, it was, yeah,
[03:24.770 --> 03:30.210]  listener and target. So dollar-sign attacker IP. I've pre-exported mine because I can't remember what
[03:30.210 --> 03:39.460]  it was. And we're going to go with the target IP. It's going to send the attack. We're seeing access
[03:39.460 --> 03:47.120]  denied. Here we'll see an NTLM version one SSP hash. Now we'll see I attempted to go set this
[03:47.120 --> 03:55.620]  as 1122334455667788 for the client challenge, but it zeroed out these.
[03:55.620 --> 04:00.980]  I could have specified --lm and it would have gotten me a better result. But in this case,
[04:00.980 --> 04:06.280]  I wanted to demonstrate NTLM version one with SSP on video because it's fun. So we're going to copy
[04:06.280 --> 04:12.480]  this. I'm now going to go into my NTLM version one multi-tool.
[04:15.160 --> 04:22.840]  python ntlmv1.py --ntlmv1 and our hash.
[04:24.360 --> 04:29.280]  Now, if you want to use crack.sh and pay $200, you absolutely can. The other option is we're
[04:29.280 --> 04:34.360]  going to do this with hashcat. Now this will normally take you about three to five days with
[04:34.780 --> 04:41.880]  from 16 to 32 GPUs or cost you about $1,000 in AWS time. I haven't timed this up for a while,
[04:41.880 --> 04:47.520]  so my numbers might be inaccurate, but on 16 GTX 1080s, it takes about four days,
[04:47.520 --> 04:52.300]  or five. So what we're going to do is we're going to copy this. We're going to copy the 14000 hash
[04:52.300 --> 04:57.680]  because it's already ready to go into hashcat. We're going to go into my hashcat directory,
[04:57.680 --> 05:05.000]  paste that, just to make sure it's a fresh file, nothing up my sleeve.
[05:06.360 --> 05:10.260]  Now we're going to take the command it told us to crack it with hashcat,
[05:10.260 --> 05:15.680]  telling us to use mode 14000, attack mode 3, which is a brute force,
[05:15.680 --> 05:23.220]  using the DES character set, and our attack type, RDP04. Now, because I have a time machine,
[05:23.220 --> 05:33.320]  it's going to crack instantly. Oops. Perfect. See, it's already cracked instantly. So let's
[05:33.320 --> 05:40.620]  go show these hashes right now. So here we have the portion of the NTLM, but it's actually being
[05:40.620 --> 05:49.420]  returned as a DES key. We need to convert these DES keys into a portion of an NTLM. So we're
[05:49.420 --> 06:01.220]  going to throw up my hashcat-utils src, and we're going to want the deskey_to_ntlm portion.
[06:02.120 --> 06:19.880]  So here is part one. We are then going to do part two. Back over here, part two.
[06:22.900 --> 06:26.460]  Now the most important part, we're also going to have to calculate
[06:26.460 --> 06:35.280]  the last four characters of the NTLM. Again, there's already a hashcat utility for that,
[06:35.280 --> 06:43.580]  so we're going to go into git/hashcat-utils/src, and then we are going to use
[06:46.080 --> 06:56.440]  ct3_to_ntlm. But it already tells us that because we do the paste,
[06:57.200 --> 07:06.760]  and there we are. We have our NTLM. So the NTLM is going to be part one, part two,
[07:07.880 --> 07:19.350]  and part three. Fantastic. So now we're going back into our handy dandy utility.
[07:21.410 --> 07:30.450]  export NTLM=... Now, to prove there's nothing up my sleeve on this one, CrackMapExec
[07:32.290 --> 07:37.770]  smb 192.168.1.3. Username is going to be
[07:38.770 --> 07:46.550]  dc1$, because that means it's a machine account. We're going to use the hash $NTLM.
[07:49.430 --> 08:01.370]  And there we are. We've authenticated as the domain machine account. Now we're going to
[08:03.870 --> 08:13.600]  do a grep. There we are. So we're going to run ticketer. Now this command is a little bit
[08:13.600 --> 08:17.800]  complex. So first we're going to run Python. We're going to select where our ticketer location is.
[08:17.800 --> 08:24.080]  We're going to use the NTLM hash, which we'll see here is 1D. Matches right up with what we have
[08:24.080 --> 08:30.300]  here ending in 904C. So that's your NTLM hash for the machine account. There is the domain SID that
[08:30.300 --> 08:38.100]  we captured earlier. That is this S-1-5-21 here using enum4linux. The domain name here is
[08:38.100 --> 08:45.380]  mog.local. Now the important part is the SPN. SPN is a service principal name. So in this case,
[08:45.380 --> 08:51.100]  we know it's a machine. So we know it's dc1. We know it's in mog.local. All domain controllers
[08:51.100 --> 08:58.680]  by default will, or should in most cases, have a HOST/ for their SPN. So we can guess
[08:58.680 --> 09:05.920]  this machine's SPN or look at it in BloodHound. But in this case, we guessed HOST/dc1.mog.local
[09:05.920 --> 09:10.820]  and then the administrator. Guessing it's administrator probably is. A lot of people
[09:10.820 --> 09:15.420]  change it, but that is how we create our silver ticket. Now I'm going to hit enter.
[09:16.220 --> 09:22.640]  It's going to create this Kerberos cache file for you. Now you need to go run an export. So
[09:22.640 --> 09:34.120]  because I keep forgetting this in DAX: history | grep export | grep ccache | head -n1. There
[09:34.120 --> 09:48.510]  we go. Export. So we've specified here's where our cache file is. Now we're going to proceed to
[09:48.510 --> 10:12.080]  secretsdump the domain controller. history | grep secretsdump | grep -k | head -n1. There we go. So we're
[10:12.080 --> 10:18.740]  going to run secretsdump. The syntax for this one is going to be, you know, our python3
[10:18.740 --> 10:25.760]  secretsdump.py. -k means use Kerberos. -no-pass means don't ask for a password. We're going to specify
[10:25.760 --> 10:32.480]  mog at the domain mog, administrator at dc1.mog.local. And we're going to DCSync the...
[10:42.980 --> 10:47.440]  Interesting. This happens. Let's go take a look.
[10:55.860 --> 11:02.480]  There we go. Just used the right tool. So we've used our... So the syntax for this one was Python
[11:03.140 --> 11:08.580]  running secretsdump. Our target was administrator at dc1.mog.local.
[11:08.820 --> 11:14.560]  -k was use Kerberos. -no-pass was don't ask us for the password. And here we
[11:14.560 --> 11:21.640]  see our administrator hash, our guest hash, and our machine account, which we just finished
[11:21.640 --> 11:29.540]  extracting. So that is how you silver ticket a domain controller and DCSync it with just a
[11:29.540 --> 11:36.260]  regular domain user. Now for mitigations on this, what you're going to wind up doing is there's a
[11:36.260 --> 11:46.200]  setting called the LAN Manager compatibility level. I'll include a link to it in the slides for this.
[11:46.340 --> 11:50.360]  It's a setting that, when set to two or lower, basically means allow NTLM.
[11:50.360 --> 11:54.620]  If you increase that setting to five, that will completely block this. The other
[11:54.620 --> 11:59.820]  mitigations are disable the print spooler service on any sensitive servers such as domain controllers.
[12:00.080 --> 12:05.600]  Now this will cause an impact on some environments as clients will no longer be able to update their
[12:05.600 --> 12:11.040]  printer list, but hopefully you have a better way of pushing printers such as SCCM. So that is the
[12:11.040 --> 12:17.420]  one downside, but it will prevent domain controllers from reaching out. This works up until Server 2016.
[12:18.360 --> 12:24.020]  I have not seen it work in Server 2019, and it again depends on your LAN Manager compatibility level.
[12:24.520 --> 12:29.940]  Thank you very much for tuning in. This has been Evil Mog from X-Force Red and Team Hashcat.
